In our recent story about how we became HIPAA experts back in 2002, one of the things we saw even two decades ago was a need for a monthly security report. We knew that any obligations that stemmed from a federal regulation were going to involve auditors. And auditors need to see solid evidence of compliance.
The first report that we sent out to the initial dozen customers who signed up for our monthly reports had 5 core sections:
- Account changes (add, remove, change)
- Backups (daily checks, weekly error review, monthly restore tests)
- Security Design Plan updates
- Security Log Reviews (daily checks)
- Vulnerability Scans (monthly checks, number of important issues mitigated)
The real motivator for us, though, was that I knew committing to a monthly report would keep us focused on the commitments I had made to our customers. I assumed maybe 2 of our customers would read every report, a few more would skim them or review one occasionally, and most would just file them away sight unseen. Since my motivation for these reports was internal, I put all my energy into honoring both the letter and the spirit of our commitment to our customers that we would do all that we promised. I sincerely believed that our customers would be better served if these important, routine tasks were consistently performed. And I was proud to reliably report that we consistently delivered.
Over time we added more and more tasks to the monthly report of our own volition, without increasing the price. We saw that it was important to formally note any Security Incidents in the report, to review any Business Continuity Tests that were performed, and to cover other tasks that were prompted by regulations but were a good idea regardless.
I’m incredibly proud of these reports. I’m proud that we honored the intentions of the regulations to promote a more secure environment that protected sensitive Protected Health Information (PHI). That pride stems from how we demonstrated a commitment to ensuring a real, sustained security culture that continues to this day.
HIPAA compliance is very much still a priority, and there is growing momentum for more stringent IT security compliance mandates at the federal and state level to address the thousands of preventable cybersecurity incidents that happen every month. Many of these breaches and attacks could have been prevented with straightforward tactics. Even without regulatory pressure, we actively work with all our contract customers to improve their security posture in every way possible. We understand that it is our job as your IT service provider to consider the risks and threats to your business and to work to mitigate them on your behalf.
All of our NetVisor contract customers get an annual security risk assessment at no additional charge. All of our NetVisor contract customers are also in the best possible position to comply with HIPAA or any regulations, since we apply the lessons we learned in our own SOC 2 Type II compliance initiatives to our daily support and obligations to our contract customers. If you aren’t working with a group of experts who know how to take the headaches out of compliance for you, please reach out to us and send those duties over to us to handle on your behalf!